"Soft, Dangerous, Essential: An Interview with Jim Roth"

This article was reprinted, with permission, from the February 1998 issue of Internal Auditor, published by The Institute of Internal Auditors.

For almost five years, Jim Roth has been trying to answer "soft control questions," especially those related to effective communication, ethics, and management philosophy. His book, Control Model Implementation: Best Practices, lists almost 40 different techniques that companies are employing to measure and evaluate soft controls. In a recent interview, Roth shared his ideas about soft controls and their impact on internal auditing's future.

What is driving the shift away from hard, tangible controls toward softer ones?

Three things are happening. New technologies have given everyone in the organization access to critical decision-making information. As a result, empowered employees are making more decisions on their own, so there are fewer control activities that focus on compliance with policies and procedures. What internal auditors have always referred to as internal control was the structure of procedures that were built to ensure policies were carried out the way people at the top, who had all the information, wanted. This structure is far less relevant today, and will be even less relevant tomorrow. Empowerment is not a passing fad. It's driven by technology, and technology is not going to go away. It's only going to get better.
In addition, the control models COSO and CoCo, which provide the first authoritative definitions of what internal control is, were written at the time when employee empowerment was coming to the forefront. As a result, those models emphasize the importance of soft controls. If we intend to implement these models in our organizations, we must consider the types of controls that they present as essential.
And finally, we return to technology. Technology not only makes old controls irrelevant because it enables empowerment; it also makes it possible to build into computers whatever hard controls and audit routines might still be necessary. In areas where it's still necessary, the traditional "tick and tie and verify" kind of audit work can now be performed better by the computer, using a 100 percent sample.

Where does that leave internal auditors?

If we still think our job is to evaluate compliance with policies and procedures, it leaves us nowhere. However, that's not what our organizations need. As managements move into empowerment modes, they need help with the transition. Most of all, they need the help of an independent, objective observer who will give them the kind of realistic, honest, substantial feedback that most people in the organization won't provide. So our job, I think, increasingly is going to involve evaluating these soft, intangible areas.

Is this change in focus really the biggest thing to happen in internal auditing in the next few years?

From my perspective, yes. If you talk to the leaders in the profession, they already understand the issue and are working toward determining how to audit these controls. Some are already auditing them successfully.
It's also true that an enormous gap exists between the vision of the profession's leaders and that of the average staff auditor. If you teach seminars to audit staff, which I do all the time, not many have heard this message. It's shocking to me at times.
In addition, all the major developments I see in internal auditing somehow relate to soft controls. For example, there's big interest in CSA workshops and other forms of self-assessment. We need self-assessment to audit soft controls, although not necessarily in the form of workshops.
Also, the developments in response to COSO and CoCo all concern the evaluation of soft controls. Even the developments in technology eventually direct us toward soft controls. Once you get past the dazzling effect of new technology, you can ask what this tool will enable you to do and how it changes your work. The answer is that the control activities and the audit techniques can be built into the system.
So what do internal auditors do, other than create the audit routines? We do what really adds value to the organization. We help management control an organization that is much looser, freer, and potentially more chaotic.

Are these softer controls more important to organizational success than those that are more traditional?

I think they are. Look at business failures. It's clear that the vast majority of savings and loans failures, for example, were the result of inadequate internal controls. Were those control weaknesses due to such tangibles as a lack of segregation of duties? No. If you look further, you see they were weaknesses in the control environment, which is in the realm of soft controls.
During the S&L crisis, I was working for a banking organization in Minneapolis, where a $3.5 billion S&L failure occurred. After the S&L was dissolved, our bank acquired six of the S&L's branches. When we began the first audit of those branches, we expected to find their internal control systems riddled with holes.
We were surprised to find instead that those branches were beautifully controlled according to our audit tests. They had every policy, procedure, and checklist imaginable. A teller could not swipe $10 from her drawer without getting caught. In spite of the control activities, the president and founder was able to play games; and he, his daughter, and several members of the upper management team went to jail.
After that, I asked myself if I had been an internal auditor working at that organization and using our control activity-based audit program, would I have had the foggiest notion of what was happening? Not from my audit work. The only way you would ever find out something like that is if someone tipped you off. That sort of realization makes you feel really uncomfortable about your status as a professional evaluator of control.
The reality is that the kind of traditional audit techniques we've relied upon in the past don't uncover those types of fraud very well. Maybe we need to have audit techniques that encourage someone to feed us tips, which is actually a form of self-assessment. You need those open communication lines to learn what is really happening.
For another example, consider the Barings case. Here we have a classic weakness in segregation of duties, which internal auditing pointed out in their audit report six months prior to the debacle. But what happened? Nothing. The audit committee looked at the report. Senior management looked at the report, which indicated that duties should be segregated and someone from headquarters should come out to oversee the office. It didn’t happen, though.
You get a clue as to why not when you read the audit report closely. It goes on to read, "but the biggest risk for the Singapore branch is losing the branch manager." The internal auditors said, in effect, "Yes, there is the need for segregation of duties. However, we don’t want to do anything to offend Nick Leeson." What's the real weakness here? The control environment was at fault. Any auditor can recount many stories like this where clear control weaknesses have been identified, only to have nothing happen. Why not? Because the real problem, the real risk, is elsewhere. You have to look at the soft controls.

Some individuals have suggested that special audit techniques aren't necessary for evaluating soft controls, because auditors can get a sense of what the control environment is like by conducting regular audits.

Getting a sense of the control environment is a starting point; but it's not always enough. You need to have a disciplined methodology, with tools and techniques to guide you and help you create audit evidence that will be accepted as legitimate audit evidence. Those techniques are being developed; many good tools currently are available.
For example, in the S&L example I mentioned earlier, I would contend that if the auditors weren’t using traditional techniques only, but were using CSA workshops, they would have had some warning about the president's activities. They would have received clues from staff comments and their specific statement ratings about the control environment. These clues could have led them to dig deeper in the right areas. Instead, a good audit staff using standard bank audit techniques were blind to the real risks.
We must remember, though, that CSA workshops are no longer the only answer. There are many soft control evaluation tools that have proven effective. So, the audit departments that feel workshops are not right for them now have alternative tools to accomplish the same purpose.

Public accounting firms have recently begun offering assurance services, and some concern has been voiced about competing with these big, resourceful organizations. Do you see a link between the attraction of these companies' services and the need to address soft controls?

I think the two issues are very much part and parcel of the same thing. The public accounting firms are simply getting better. They're hiring internal auditors, and they're hiring those who know how to do what management needs done, such as conducting CSA workshops.
The bottom line, however, is that if you can get the same quality of service from a truly internal audit department, that option is more cost effective and advantageous than outsourcing. You won't be paying a partner's salary, and you'll have staff who are loyal to the company, who live and breathe your company, who see their future in your company, and who are more attuned to the workings of the control environment and can perform more effective assessments. As internal auditors, we have a real edge - if we are at least as good as they are. If we're still auditing the way we were five to 10 years ago, public accounting firms are going to step in and offer the services that management needs today.
The profession's opinion has evolved throughout the last three to four years so that now we're against total outsourcing unless the internal audit department isn’t very good in the first place. I think that in the next five years, "unless they are not very good in the first place" will come to mean "unless the internal audit department doesn't have the courage or creativity to use new techniques to evaluate the soft side of control."
Businesses are going to hear from public accounting firms about how they can perform that function and about what they have done for other companies. They're going to compare their track record of success, of how they've really added value to their customers, to the traditional control activity work (which nobody ever cared that much about and is decreasing in significance) of the internal auditors.

Given all of this, what should today's internal audit departments do?

They should start by believing themselves to be internal customer service providers. Although it's an old story, it's one that only a minority of audit departments today have understood and taken to heart. Clearly understand who your customers are and what their needs are. Ask, question, conduct surveys. Then begin a process within the internal audit department to create a vision of the future based on providing service to your customers. This should fully involve every person in the department, so that it's a shared vision. If you begin here and do it right, this process almost inevitably will lead you in the right direction toward evaluating soft controls, toward eliminating outdated, antiquated, never particularly functional and now almost totally dysfunctional, practices.
Almost all of the best-practice companies have gone through that kind of "visioning" process and have reengineered themselves into something very different from what they once were. I don't think that even a majority of the audit departments have done this, but eventually every one of them must undergo the process.
To effectively evaluate the soft side of controls, auditors must demonstrate different mindsets than those of traditional auditors. This visioning process is the right way to go about changing an auditor's mindset. Mostly, it helps the whole department focus on the specific things that need to be done. I've learned that when it comes to the softer side of control, there is no "one size fits all" solution. Everything has to be tailored.
When researching my book, I didn’t talk to even two companies that were doing the same thing. But almost all of them have evolved to where they are today by going through some sort of process like this.

Aren't there some risks involved for the traditional audit department making this drastic change in vision?

Once an audit department realizes the challenge they will face by ignoring this soft side of controls, nothing is more frightening. That's especially true for the traditional audit department staffed with people who have traditional expectations. You think you're going to get shot out of the water if you ask to pursue those kinds of soft, sensitive, dangerous areas.
Where the internal audit department's transition has been successful, I've found that the staff was honestly scared at the beginning. It took some of them years to get where they wanted to go, and they had to do it slowly, carefully, and step-by-step. Virtually without exception, however, every one of them will tell you, "this is the best thing we've ever done. Because of the value we know we are adding to the organization, and the value that we're perceived to add, the audit department's status and prestige has grown tremendously."
People are not saying, "how dare you ask a question like that. Get out of my office!" They're saying, "At last, you're dealing with something that matters. You're giving me good, honest, objective feedback about these things that help me run the company and about which nobody else will be honest. I can take tough honest feedback if it's about something important."